[Pkg-mediawiki-devel] Bug#716957: Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Chris Steipp csteipp at wikimedia.org
Tue Jul 16 17:34:41 UTC 2013 

Thanks Philippe, that does explain it. This "feature" was actually
implemented here:
https://bugzilla.wikimedia.org/show_bug.cgi?id=14220, which
intentionally made setting $wgCheckFileExtensions = false allow any
file extension to be uploaded, regardless of how
wgStrictFileExtensions is set. I'll make sure the documentation on
those is a little more clear.

I'll also check with the developer community and see if there is
consensus that this is still the desired functionality.

On Tue, Jul 16, 2013 at 12:05 AM, Philippe Teuwen <phil at teuwen.org> wrote:
> Hello,
>
> Actually now I see I had $wgCheckFileExtensions = false; left on the
> config file.
> I was abused by the fact that under Firefox & Chrome, pdf upload was
> properly banned and documentation of
> https://www.mediawiki.org/wiki/Manual:$wgCheckFileExtensions and
> https://www.mediawiki.org/wiki/Manual:$wgStrictFileExtensions
> seem to indicate that $wgStrictFileExtensions was enough to enforce the
> check.
>
> So what is the supposed behavior of
> $wgCheckFileExtensions = false;
> $wgStrictFileExtensions = true;
> ??
>
> Here are the relevant parts of LocalSettings.php
> I'm using the regular Special:Upload page
>
> $wgEnableUploads  = true;
> $wgCheckFileExtensions = false;
> $wgGroupPermissions['*']['createaccount'] = false;
> $wgGroupPermissions['*']['edit'] = false;
> $wgGroupPermissions['*']['read'] = false;
>
>
> On 07/15/2013 07:54 PM, Chris Steipp wrote:
>> Hi, I'm working on reproducing this.
>>
>> The file extension is checked in UploadBase::getTitle(). If
>> $wgCheckFileExtensions and $wgStrictFileExtensions are both true
>> (which by default they are), then the file should be rejected during
>> the upload process. If that check is being bypassed, then we have a
>> serious issue we need to get patched asap.
>>
>> Are both $wgCheckFileExtensions and $wgStrictFileExtensions set to
>> true on the system where you're seeing this behavior? Also, are you
>> using UploadWizard, or another extension to trigger this, or the
>> standard Special:Upload page?
>>
>> On Mon, Jul 15, 2013 at 9:00 AM, Alex Monk <krenair at gmail.com> wrote:
>>> CCing security at wikimedia.org
>>>
>>> On Mon, Jul 15, 2013 at 1:27 PM, Philippe Teuwen <phil at teuwen.org> wrote:
>>>> On 07/15/2013 01:00 PM, Henri Salo wrote:
>>>>> On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
>>>>>> Package: mediawiki
>>>>>> Version: 1:1.19.5-1
>>>>>> Severity: normal
>>>>>> Tags: security
>>>>>> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
>>>>>>
>>>>>> Default allowed extensions for file upload are only:
>>>>>> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
>>>>>>
>>>>>> Under Firefox & Chrome it's indeed impossible to upload a pdf file
>>>>>> under
>>>>>> those settings.
>>>>>> But under IE it's possible without warning or error.
>>>>>>
>>>>>> A quick inspection seems to indicate that the file extension is only
>>>>>> checked on the client side via javascript and IE does not do a proper
>>>> job.
>>>>>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>>>>>> array.
>>>>>>
>>>>>> IMHO file extension checks must also be enforced on server side, and,
>>>>>> if
>>>>>> possible, a js workaround should be provided for proper handling in IE.
>>>>>> Malicious pdfs do exist...
>>>>>>
>>>>>> Best regards
>>>>>> Phil
>>>>> Have you notified upstream about this issue?
>>>>>
>>>>> ---
>>>>> Henri Salo
>>>> No
>>>> Phil
>>>>
>>>> _______________________________________________
>>>> Pkg-mediawiki-devel mailing list
>>>> Pkg-mediawiki-devel at lists.alioth.debian.org
>>>>
>>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-devel
>>>
>

More information about the Pkg-mediawiki-devel mailing list